Table of Contents
Your email account is the most important account you have. Not your bank account, not your social media, not your cloud storage – your email. The reason is simple: almost every online service uses email for password resets, account verification, and security notifications. Someone who controls your email controls the master key to your entire digital life. As part of your digital privacy and online safety strategy, securing your email account should be your first priority.
Consider the cascade of a compromised email: the attacker resets your banking passwords, receives the confirmation links, changes your social media account recovery options, accesses your cloud storage, and reads every password reset email you have ever received. An estimated 3.4 billion phishing emails are sent daily, and a significant portion target email credentials specifically because attackers understand the cascading value of email access.
Step 1: Create a Strong, Unique Password
Your email password must be:
- Unique – Not used on any other service. Not a variation of another password. Completely independent.
- Strong – At least 16 characters. Randomly generated. Not based on words, dates, names, or patterns.
- Stored in a password manager – A password this strong cannot be memorized, and should not be. Use a password manager like PanicVault to generate and store it. With system-wide AutoFill on iPhone, iPad, and Mac, you authenticate with Face ID or Touch ID and the email password fills in automatically.
If your email password is the same as any other password – especially one from a service that may have been involved in a data breach – change it now. Today. Before reading the rest of this guide.
Step 2: Enable Two-Factor Authentication
Two-factor authentication is the single most important security measure after your password. It ensures that even if your password is compromised, an attacker cannot access your account without the second factor.
For Gmail
- Go to myaccount.google.com > Security > 2-Step Verification
- Enable it and add your preferred second factor:
- Security key (strongest) – A physical key like YubiKey
- Google Authenticator or TOTP app (strong) – Generates time-based codes
- Google prompts (convenient) – Push notification to your phone
- SMS (weakest but better than nothing)
- Generate and save backup codes in your password manager
For Apple (iCloud Email)
Apple requires two-factor authentication for Apple IDs. If it is not already enabled:
- Go to Settings > [Your Name] > Password & Security
- Enable Two-Factor Authentication
- Your trusted Apple devices serve as the second factor
For Outlook/Microsoft
- Go to account.microsoft.com > Security > Advanced security options
- Enable two-step verification
- Set up the Microsoft Authenticator app or a third-party TOTP app
For ProtonMail
- Go to Settings > Security > Two-factor authentication
- Enable and configure with a TOTP app
- Save the recovery codes
Step 3: Review Recovery Options
Your account recovery options are potential backdoors. If an attacker can trigger a password reset and intercept the recovery mechanism, they can take over your account despite your strong password and 2FA.
Review and Secure Recovery Email
If you have a recovery email address:
- Make sure the recovery email account is itself secured with a strong password and 2FA
- Consider whether you still have access to the recovery email
- Remove recovery email addresses you no longer control
Review and Secure Recovery Phone Number
If a phone number is used for account recovery:
- Be aware of SIM-swapping attacks, where an attacker convinces your mobile carrier to transfer your number to their SIM card
- Consider removing the phone number and using only authenticator-based recovery
- If you keep a recovery phone number, set up a PIN or password with your mobile carrier to prevent unauthorized SIM transfers
Save Backup Codes
Most services provide one-time backup codes when you enable 2FA. These codes are your emergency access method if you lose your phone or authenticator app. Store them in your password manager, not on paper or in a text file.
Step 4: Check for Unauthorized Access
Review Active Sessions
Most email providers show you a list of devices and locations where your account is currently signed in.
- Gmail: myaccount.google.com > Security > Your devices
- Outlook: account.microsoft.com > Security > Sign-in activity
- Apple: Settings > [Your Name] (scroll down to see devices)
Sign out of any sessions you do not recognize. If you find unfamiliar devices, change your password immediately.
Check Email Forwarding Rules
A sophisticated attacker may set up an email forwarding rule that silently copies all your incoming email to their address. You would never notice because the emails still appear in your inbox normally.
- Gmail: Settings > See all settings > Forwarding and POP/IMAP
- Outlook: Settings > View all Outlook settings > Mail > Forwarding
- Apple Mail: Check with iCloud Mail settings at icloud.com
Remove any forwarding rules you did not create.
Review Connected Applications
Over time, you may have granted third-party apps access to your email account (“Sign in with Google,” “Connect to Outlook”). Each of these connections is a potential vulnerability.
- Gmail: myaccount.google.com > Security > Third-party apps with account access
- Outlook: account.microsoft.com > Privacy > Apps and services
Revoke access for any application you no longer use or do not recognize.
Check Filters and Labels
Attackers sometimes create email filters that automatically archive, delete, or label certain emails – like security alerts or password reset notifications – to hide their activity.
Review all email filters and delete any you did not create.
Step 5: Choose a Privacy-Respecting Email Provider
Not all email providers treat your data the same way. Your email provider can read the contents of your messages (unless they are end-to-end encrypted) and may use that data for advertising or share it with third parties.
Privacy-Focused Providers
- ProtonMail – End-to-end encrypted between ProtonMail users. Based in Switzerland. No ads, no data mining. Free tier available.
- Tutanota – End-to-end encrypted. Based in Germany. Free tier available.
- Fastmail – Not end-to-end encrypted, but does not mine your email for advertising. Paid service with a strong privacy commitment.
Mainstream Providers
- Gmail – Encrypted in transit and at rest, but Google can read your email and uses it for features like Smart Reply and smart categorization. Google stopped scanning email for ad targeting in 2017, but the data is still accessible to Google.
- Outlook – Similar to Gmail. Encrypted in transit and at rest, but Microsoft can access your email.
- iCloud Mail – Apple does not scan your email for advertising purposes and has a stronger privacy commitment than Google or Microsoft. iCloud data is encrypted, though Apple can access it with a court order unless you enable Advanced Data Protection.
If switching providers is too disruptive, you can still significantly improve your privacy on mainstream providers through the other steps in this guide.
Step 6: Use Email Aliases
Email aliases protect your primary email address from being spread across hundreds of databases, reducing spam and limiting your exposure in data breaches.
Apple Hide My Email
Apple’s Hide My Email (available with iCloud+) generates unique, random email addresses for each service. Emails sent to these addresses are forwarded to your real inbox. If a service starts spamming you or is breached, you can disable that specific alias without affecting your primary address.
SimpleLogin and AnonAddy
Third-party alias services that work with any email provider. They generate unique addresses for each service and forward to your real inbox, with the option to reply through the alias.
Plus Addressing
Gmail and some other providers support plus addressing (yourname+shopping@gmail.com, yourname+banking@gmail.com). This is useful for filtering but provides no privacy benefit since the real address is obvious.
Step 7: Recognize Email-Based Attacks
Phishing
Phishing emails impersonate trusted senders – your bank, your employer, a delivery service, a tech company – to trick you into revealing credentials or clicking malicious links.
Red flags:
- Urgency (“Your account will be suspended in 24 hours”)
- Generic greetings (“Dear Customer” instead of your name)
- Mismatched sender addresses (the display name says “Bank of America” but the email is from randomaddress@gmail.com)
- Links that do not match the supposed sender (hover over links to see where they actually go)
- Requests for personal information via email
Business Email Compromise
Attackers who gain access to a colleague’s or vendor’s email account use it to send fraudulent requests – wire transfers, gift card purchases, credential sharing. These are hard to detect because they come from legitimate accounts.
Malicious Attachments
Email attachments can contain malware. Be cautious with unexpected attachments, even from known senders whose accounts may be compromised. Especially avoid .exe, .scr, .zip files from unexpected sources.
Step 8: Ongoing Maintenance
Email security is not a set-it-and-forget-it task. Include these checks in your regular personal security audit:
- Quarterly: Review active sessions and sign out of unfamiliar devices
- Quarterly: Check forwarding rules and filters
- Quarterly: Review connected third-party applications
- Annually: Review and update your recovery options
- When prompted: Accept security updates from your email provider
Email Security Checklist
- Create a strong, unique password stored in your password manager
- Enable two-factor authentication (preferably authenticator app or security key)
- Save backup codes in your password manager
- Review and remove unrecognized active sessions
- Check and remove unauthorized forwarding rules
- Review and revoke unnecessary third-party app connections
- Check email filters for anything suspicious
- Secure your recovery email and phone number
- Consider a privacy-focused email provider or email aliases
- Set up regular security review reminders
Your email is the foundation. Everything else in your digital security builds on it. Take the time to secure it properly, and every other step in your privacy and security journey becomes more effective.
